From 50dbfa23f5f1aa959bc1ca73770fab1f89caf3be Mon Sep 17 00:00:00 2001 From: schwarze Date: Thu, 1 Jan 2015 18:10:09 +0000 Subject: [PATCH] Fix a read buffer overrun triggered by trailing \s- or trailing \s+ without the required subsequent argument; found by jsg@ with afl. --- regress/usr.bin/mandoc/roff/esc/Makefile | 4 ++-- regress/usr.bin/mandoc/roff/esc/ignore.in | 4 +++- regress/usr.bin/mandoc/roff/esc/ignore.out_ascii | 3 ++- regress/usr.bin/mandoc/roff/esc/ignore.out_lint | 1 + usr.bin/mandoc/mandoc.c | 8 ++++---- 5 files changed, 12 insertions(+), 8 deletions(-) create mode 100644 regress/usr.bin/mandoc/roff/esc/ignore.out_lint diff --git a/regress/usr.bin/mandoc/roff/esc/Makefile b/regress/usr.bin/mandoc/roff/esc/Makefile index 5327ae0077c..92db491a430 100644 --- a/regress/usr.bin/mandoc/roff/esc/Makefile +++ b/regress/usr.bin/mandoc/roff/esc/Makefile @@ -1,7 +1,7 @@ -# $OpenBSD: Makefile,v 1.8 2014/12/03 01:06:22 schwarze Exp $ +# $OpenBSD: Makefile,v 1.9 2015/01/01 18:10:09 schwarze Exp $ REGRESS_TARGETS = one two multi B c c_man e f h w z ignore -LINT_TARGETS = B h w +LINT_TARGETS = B h w ignore # Postprocessing to remove "character backspace" sequences # unless they are followed by the same character again. diff --git a/regress/usr.bin/mandoc/roff/esc/ignore.in b/regress/usr.bin/mandoc/roff/esc/ignore.in index a7350b87cc1..4be7fb6c94a 100644 --- a/regress/usr.bin/mandoc/roff/esc/ignore.in +++ b/regress/usr.bin/mandoc/roff/esc/ignore.in @@ -1,4 +1,4 @@ -.Dd May 28, 2012 +.Dd January 1, 2015 .Dt ESC-IGNORE 1 .Os OpenBSD .Sh NAME @@ -10,3 +10,5 @@ multiform: a\kxb\k(xyc\k[xyz]d quoted: a\R'myreg 0'b\R'myreg \A'y'0'c .br sizes: a\s0b\s(12c\s[123]d\s'123'e\s'1\w'xy'2'f +.br +signed sizes: a\s-0b\s-(12c\s-[123]d\s-'123'e\s-'1\w'xy'2'f\s- diff --git a/regress/usr.bin/mandoc/roff/esc/ignore.out_ascii b/regress/usr.bin/mandoc/roff/esc/ignore.out_ascii index f147aa396a8..5e41d49afa2 100644 --- a/regress/usr.bin/mandoc/roff/esc/ignore.out_ascii 
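Review bot: The new `signed sizes:` input line in regress/usr.bin/mandoc/roff/esc/ignore.in exercises only the `\s-` forms, although the commit message says the overrun was also triggered by a trailing `\s+` and the patched condition in mandoc.c accepts `+` as a sign as well. A second input line ending in `\s+`, with matching entries in ignore.out_ascii and ignore.out_lint, would pin both sign branches, so a later change to the sign handling cannot silently reintroduce the out-of-bounds read for one of them. Since the test only compares output, running this regress target in a memory-checking build (for example AddressSanitizer) would also catch the overrun itself rather than only a changed warning.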
+++ b/regress/usr.bin/mandoc/roff/esc/ignore.out_ascii @@ -7,5 +7,6 @@ DDEESSCCRRIIPPTTIIOONN multiform: abcd quoted: abc sizes: abcdef + signed sizes: abcdef -OpenBSD May 28, 2012 OpenBSD +OpenBSD January 1, 2015 OpenBSD diff --git a/regress/usr.bin/mandoc/roff/esc/ignore.out_lint b/regress/usr.bin/mandoc/roff/esc/ignore.out_lint new file mode 100644 index 00000000000..c163d60d0de --- /dev/null +++ b/regress/usr.bin/mandoc/roff/esc/ignore.out_lint @@ -0,0 +1 @@ +mandoc: ignore.in:14:60: WARNING: invalid escape sequence: \s- diff --git a/usr.bin/mandoc/mandoc.c b/usr.bin/mandoc/mandoc.c index 16c4f026ee5..362edb9a724 100644 --- a/usr.bin/mandoc/mandoc.c +++ b/usr.bin/mandoc/mandoc.c @@ -1,7 +1,7 @@ -/* $OpenBSD: mandoc.c,v 1.57 2014/12/15 17:29:58 schwarze Exp $ */ +/* $OpenBSD: mandoc.c,v 1.58 2015/01/01 18:10:09 schwarze Exp $ */ /* - * Copyright (c) 2008, 2009, 2010, 2011 Kristaps Dzonsons - * Copyright (c) 2011, 2012, 2013, 2014 Ingo Schwarze + * Copyright (c) 2008-2011, 2014 Kristaps Dzonsons + * Copyright (c) 2011-2015 Ingo Schwarze * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -223,7 +223,7 @@ mandoc_escape(const char **end, const char **start, int *sz) /* See +/- counts as a sign. */ if ('+' == **end || '-' == **end || ASCII_HYPH == **end) - (*end)++; + *start = ++*end; switch (**end) { case '(': -- 2.20.1
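Review bot: The fix at `*start = ++*end;` in the `@@ -223,7 +223,7 @@` hunk of usr.bin/mandoc/mandoc.c has no comment explaining why `*start` must follow `*end` past the sign, and the existing `/* See +/- counts as a sign. */` only describes the skip. Presumably the length validation further down in mandoc_escape measures the remaining input from `*start`, so a `*start` left pointing at the sign would let a one-byte argument pass that check at end of input; that code is outside the hunk and should be confirmed. I would replace the comment with `/* Skip an optional sign and restart the argument after it, so later bounds checks count only what follows the sign. */`. mandoc_escape starts before and continues past this hunk.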